From 8ceb0cf0191f8b374a7f05974b29c6242ce8f752 Mon Sep 17 00:00:00 2001
From: Damian Poddebniak <poddebniak@fh-muenster.de>
Date: Thu, 23 Jul 2020 19:24:45 +0200
Subject: [PATCH] Detect extra data after STARTTLS response and exit

---
 src/low-level/imap/mailimap.c | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/src/low-level/imap/mailimap.c b/src/low-level/imap/mailimap.c
index bb17119d..4ffcf55d 100644
--- a/src/low-level/imap/mailimap.c
+++ b/src/low-level/imap/mailimap.c
@@ -2428,6 +2428,13 @@ int mailimap_starttls(mailimap * session)
 
   mailimap_response_free(response);
 
+  // Detect if the server send extra data after the STARTTLS response.
+  // This *may* be a "response injection attack".
+  if (session->imap_stream->read_buffer_len != 0) {
+      // Since it is also an IMAP protocol violation, exit.
+      return MAILIMAP_ERROR_STARTTLS;
+  }
+
   switch (error_code) {
   case MAILIMAP_RESP_COND_STATE_OK:
     return MAILIMAP_NO_ERROR;
